3 data security best practices learned from FTC enforcement actions

One of the biggest takeaways from Judge Esther Salas’ recent opinion in FTC v. Wyndham Worldwide Corp., et al was that in the absence of formal Federal Trade Commission (FTC) rules on data security practices, companies should consider the settlements and advisory opinions from prior FTC enforcement actions for guidance. Accordingly, we have compiled a list of three major practices cited in recent data security enforcement actions, along with the best practices that companies should consider implementing.

Non-conforming privacy policy

The most frequent reason companies face FTC enforcement action continues to be a general failure to conform data security practices to data security policies — a practice the FTC has repeatedly argued is deceptive. Two of the most prominent FTC actions relating to non-conforming privacy policies have involved Google.

In U.S. v. Google, Inc., the FTC filed a complaint alleging that Google’s practice of adding cookies within Apple’s Safari browser, even after a user specifically opted against cookies, was deceptive in light of Google’s representations in its Advertising Cookie Opt-Out Plug-in page.

Google was again challenged by the FTC in In re Google, Inc. for its unauthorized reuse of e-mail users’ personal information on its social network, Google Buzz. Google’s posted privacy policy had included language stating, “When you sign up for a particular service that requires registration, we ask you to provide personal information. If we use this information in a manner different than the purpose for which it was collected, then we will ask for your consent prior to such use.” Google’s failure to follow its stated policy led to the FTC enforcement action.

Best Practice: Review all privacy and security policies with a keen eye towards what is promised and what is delivered. While failing to provide certain data security measures may or may not be seen as unfair by the FTC, claiming that your company provides a level of security that it does not can be considered deceptive.

Monitoring vulnerability reports

Failing to actively monitor security vulnerability reports from third-party researchers, academics or other members of the public, known as external vulnerability reports, is also likely to trigger FTC enforcement action. Beyond merely having a mechanism for receiving vulnerability reports, the FTC is concerned with how the vulnerability reports are monitored and addressed. In a recent case, In re Fandango, the FTC alleged that Fandango failed to properly acknowledge a message from a third-party researcher about a potential security vulnerability. Instead, the researcher’s message was mistaken for a customer service issue and ignored. Thus, even though Fandango received a vulnerability report, it lacked a mechanism for reviewing these reports, which led to consumer harm.

Best Practice: Create and monitor external security vulnerability reporting channels so that third-party data security professionals and others can notify your company of potential issues. Additionally, create a protocol by which information received from vulnerability reports can be transmitted to the appropriate employees. As in the Fandango case, it is not enough to have vulnerability reports channeled only through customer service, particularly for large companies with many employees and departments.

Security by Design

As a corollary to supervising the work of third-party developers, the FTC is concerned with the safety of the software or application itself (i.e., “Security by Design”). In the HTC case, the FTC alleged that HTC, a mobile device manufacturer, failed to test the software on its mobile devices for potential security vulnerabilities and failed to follow commonly accepted secure coding practices. According to the FTC, these failures resulted in HTC’s creation of numerous security vulnerabilities. Malicious applications could take advantage of the vulnerabilities to gain access to sensitive data on a device, or even control the device itself. For example, a default setting on HTC mobile devices required third-party applications to get a user’s permission to access a mobile device’s microphone. Unfortunately, HTC pre-installed a custom voice recorder application which did not require the user’s permission and, if exploited, would allow a third-party application control of the microphone even if that application had never asked for the user’s permission. Although the fix required a simple coding change, HTC failed to undertake the change.
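The HTC microphone issue described above is the classic permission re-delegation pattern: a privileged pre-installed component performs a sensitive action on behalf of any app that asks, so the caller's own permission grant is never consulted. The following Android Service is an added illustration written for this article, not HTC's code or the FTC's; the class name, transaction code and output path are hypothetical, and it assumes the service is exported in the manifest as a pre-installed recorder component might be.

```java
import android.app.Service;
import android.content.Intent;
import android.media.MediaRecorder;
import android.os.Binder;
import android.os.IBinder;
import android.os.Parcel;
import android.os.RemoteException;

// Hypothetical exported service that starts microphone capture for other apps.
public class VoiceRecorderService extends Service {
    // Constructed transaction code for the "start recording" request.
    static final int TRANSACTION_START_RECORDING = IBinder.FIRST_CALL_TRANSACTION;

    private MediaRecorder recorder;

    private final IBinder binder = new Binder() {
        @Override
        protected boolean onTransact(int code, Parcel data, Parcel reply, int flags)
                throws RemoteException {
            if (code == TRANSACTION_START_RECORDING) {
                // Hardened version: we are inside a Binder call here, so the
                // calling app's UID is known and its OWN RECORD_AUDIO grant can be
                // enforced. The vulnerable pattern the article describes is this
                // same method with the line below omitted: the service holds
                // RECORD_AUDIO itself, so capture starts for any caller, including
                // one the user never granted microphone access.
                enforceCallingPermission(android.Manifest.permission.RECORD_AUDIO,
                        "Caller must hold RECORD_AUDIO to start capture");
                startRecording(data.readString());
                reply.writeNoException();
                return true;
            }
            return super.onTransact(code, data, reply, flags);
        }
    };

    private void startRecording(String outputPath) {
        recorder = new MediaRecorder();
        recorder.setAudioSource(MediaRecorder.AudioSource.MIC);
        recorder.setOutputFormat(MediaRecorder.OutputFormat.THREE_GPP);
        recorder.setAudioEncoder(MediaRecorder.AudioEncoder.AMR_NB);
        recorder.setOutputFile(outputPath);
        try {
            recorder.prepare();
            recorder.start();
        } catch (java.io.IOException e) {
            recorder.release();
            recorder = null;
        }
    }

    @Override
    public IBinder onBind(Intent intent) { return binder; }
}
```

A second, declarative layer is to set android:permission="android.permission.RECORD_AUDIO" on the service's manifest entry so the platform refuses binds from apps without that grant before any code runs.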

Best Practice: As noted on the FTC’s blog, “Savvy companies build Security By Design into every aspect of their business.” At every step of software development and implementation, companies should consider the impact to data security, particularly with respect to how mobile and web applications potentially interact. As companies work with developers to create and revise applications, it is a good practice to ask developers about the inclusion of data security measures from the outset. In the FTC’s guidance issued in the mobile space, entitled “Mobile App Developers: Start with Security,” the Agency specifically recommends that developers include security before releasing an application. “Getting your product working and accepted by an app store are two key milestones. But there’s a critical third step: anticipating and preventing potential security glitches.”

In addition to these three practices, the Wyndham case itself provides a great reminder of other simple data security measures that should be implemented by companies. Some of the FTC’s allegations in Wyndham can serve as a checklist for businesses and their legal counsel. For instance, the FTC alleged, among other things, that Wyndham failed to: (a) change passwords from default settings, (b) adequately inventory computers that had access to the Wyndham network, (c) maintain firewalls, (d) upload security patches, or (e) encrypt financial information. As a starting point, companies should ensure that, unlike Wyndham, they implement these basic security measures for their networks and systems. For further guidance, business enterprises should also consult the FTC’s guide, “Protecting Personal Information: A Guide for Business,” which details many of these basic steps and is a good starting point to ensure minimum standards.